From 5d8d82d529597010bcd1ece30aec5b1a8d5ff905 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 24 Aug 2023 23:50:56 +0200 Subject: add nftables prometheus exporter --- roles/monitoring/prometheus/exporter/meta/main.yml | 2 + .../prometheus/exporter/nftables/defaults/main.yml | 2 + .../prometheus/exporter/nftables/handlers/main.yml | 10 ++++ .../prometheus/exporter/nftables/tasks/main.yml | 55 ++++++++++++++++++++++ .../exporter/nftables/templates/config.yml.j2 | 4 ++ .../exporter/nftables/templates/service.j2 | 31 ++++++++++++ .../prometheus/server/defaults/main/main.yml | 1 + .../server/defaults/main/rules_nftables.yml | 11 +++++ 8 files changed, 116 insertions(+) create mode 100644 roles/monitoring/prometheus/exporter/nftables/defaults/main.yml create mode 100644 roles/monitoring/prometheus/exporter/nftables/handlers/main.yml create mode 100644 roles/monitoring/prometheus/exporter/nftables/tasks/main.yml create mode 100644 roles/monitoring/prometheus/exporter/nftables/templates/config.yml.j2 create mode 100644 roles/monitoring/prometheus/exporter/nftables/templates/service.j2 create mode 100644 roles/monitoring/prometheus/server/defaults/main/rules_nftables.yml
diff --git a/roles/monitoring/prometheus/exporter/meta/main.yml b/roles/monitoring/prometheus/exporter/meta/main.yml
index 10a251f4..0b466ac9 100644
--- a/roles/monitoring/prometheus/exporter/meta/main.yml
+++ b/roles/monitoring/prometheus/exporter/meta/main.yml
@@ -25,4 +25,6 @@ dependencies: when: "'modbus' in (prometheus_exporters_default | union(prometheus_exporters_extra))" - role: monitoring/prometheus/exporter/chrony when: "'chrony' in (prometheus_exporters_default | union(prometheus_exporters_extra))" + - role: monitoring/prometheus/exporter/nftables + when: "'nftables' in (prometheus_exporters_default | union(prometheus_exporters_extra))" - role: monitoring/prometheus/exporter/register
diff --git a/roles/monitoring/prometheus/exporter/nftables/defaults/main.yml b/roles/monitoring/prometheus/exporter/nftables/defaults/main.yml
new file mode 100644
index 00000000..c4c42756
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/nftables/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# prometheus_exporter_nftables_version:
diff --git a/roles/monitoring/prometheus/exporter/nftables/handlers/main.yml b/roles/monitoring/prometheus/exporter/nftables/handlers/main.yml
new file mode 100644
index 00000000..a78363f8
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/nftables/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart prometheus-nftables-exporter
+ service:
+ name: prometheus-nftables-exporter
+ state: restarted
+
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
diff --git a/roles/monitoring/prometheus/exporter/nftables/tasks/main.yml b/roles/monitoring/prometheus/exporter/nftables/tasks/main.yml
new file mode 100644
index 00000000..47022026
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/nftables/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+- name: generate apt pin file for exporter-nftables package
+ when: prometheus_exporter_nftables_version is defined
+ copy:
+ dest: "/etc/apt/preferences.d/prom-exporter-nftables.pref"
+ content: |
+ Package: prom-exporter-nftables
+ Pin: version {{ prometheus_exporter_nftables_version }}-1
+ Pin-Priority: 1001
+
+- name: remove apt pin file for exporter-nftables package
+ when: prometheus_exporter_nftables_version is not defined
+ file:
+ path: "/etc/apt/preferences.d/prom-exporter-nftables.pref"
+ state: absent
+
+- name: install apt packages
+ apt:
+ name: "prom-exporter-nftables{% if prometheus_exporter_nftables_version is defined %}={{ prometheus_exporter_nftables_version }}-1{% endif %}"
+ state: present
+ allow_downgrade: yes
+ notify: restart prometheus-nftables-exporter
+
+- name: create config directory
+ file:
+ path: /etc/prometheus/exporter/nftables
+ state: directory
+
+- name: generate configuration
+ template:
+ src: config.yml.j2
+ dest: /etc/prometheus/exporter/nftables/config.yml
+ notify: restart prometheus-nftables-exporter
+
+- name: generate systemd service unit
+ template:
+ src: service.j2
+ dest: /etc/systemd/system/prometheus-nftables-exporter.service
+ notify: restart prometheus-nftables-exporter
+
+- name: make sure prometheus-nftables-exporter is enabled and started
+ systemd:
+ name: prometheus-nftables-exporter.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: register exporter
+ copy:
+ content: |
+ location = /nftables {
+ proxy_pass http://127.0.0.1:9630/metrics;
+ }
+ dest: /etc/prometheus/exporter/nftables.locations
+ notify: reload nginx
diff --git a/roles/monitoring/prometheus/exporter/nftables/templates/config.yml.j2 b/roles/monitoring/prometheus/exporter/nftables/templates/config.yml.j2
new file mode 100644
index 00000000..07c32bd1
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/nftables/templates/config.yml.j2
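Review bot: `allow_downgrade: yes`, `daemon_reload: yes` and `enabled: yes` use the YAML 1.1 truthy spelling; `true` is the form every parser and yamllint's truthy rule agree on, so I would write `allow_downgrade: true`, `daemon_reload: true` and `enabled: true`. The `generate configuration` task notifies a full restart although the unit in templates/service.j2 declares `ExecReload=/bin/kill -HUP $MAINPID`; if the exporter re-reads its config on SIGHUP (not verifiable from this change), a separate reload handler would avoid a scrape gap on config-only changes. The `-1` package revision is hard-coded in both the pin file and the `apt` package spec; a comment such as `# the Debian revision is assumed to be -1 for every pinned upstream version` would make that assumption visible to whoever bumps the version next.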
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+nftables_exporter:
+ bind_to: "127.0.0.1:9630"
diff --git a/roles/monitoring/prometheus/exporter/nftables/templates/service.j2 b/roles/monitoring/prometheus/exporter/nftables/templates/service.j2
new file mode 100644
index 00000000..b22d9582
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/nftables/templates/service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=Prometheus nftables exporter
+After=systemd-modules-load.service
+
+[Service]
+Restart=always
+User=prometheus-exporter
+ExecStart=/usr/bin/prometheus-nftables-exporter --config=/etc/prometheus/exporter/nftables/config.yml
+ExecReload=/bin/kill -HUP $MAINPID
+
+# systemd hardening-options
+AmbientCapabilities=CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_ADMIN
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/monitoring/prometheus/server/defaults/main/main.yml b/roles/monitoring/prometheus/server/defaults/main/main.yml
index 1e0dcf32..7a9adde4 100644
--- a/roles/monitoring/prometheus/server/defaults/main/main.yml
+++ b/roles/monitoring/prometheus/server/defaults/main/main.yml
@@ -38,6 +38,7 @@ prometheus_server_rules: standalone-kubelet: "{{ prometheus_server_rules_standalone_kubelet + prometheus_server_rules_standalone_kubelet_extra }}" modbus: "{{ prometheus_server_rules_modbus + prometheus_server_rules_modbus_extra }}" modbus/probe: "{{ prometheus_server_rules_modbus__probe + prometheus_server_rules_modbus__probe_extra }}" + nftables: "{{ prometheus_server_rules_nftables + prometheus_server_rules_nftables_extra }}" # prometheus_server_alertmanager: # url: "127.0.0.1:9093"
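Review bot: The listen address `127.0.0.1:9630` in `bind_to` is duplicated verbatim by the `proxy_pass http://127.0.0.1:9630/metrics;` line that tasks/main.yml writes into the nginx location, so changing one without the other silently breaks the `/nftables` endpoint; a single role default rendered into both the template and the location block would keep them in sync. Binding to loopback only is the right choice here since nginx fronts the exporter. Which other keys the exporter accepts under `nftables_exporter:` is not visible in this change, so a comment like `# only the listen address is set here; see the exporter's documentation for further options` would help the next maintainer.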
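Review bot: The hardening block grants `AmbientCapabilities=CAP_NET_ADMIN` (needed to read the ruleset) but sets neither `RestrictAddressFamilies` nor `SystemCallFilter`, which are the two remaining knobs that bound what a process holding that capability can reach. Restricting to `AF_INET AF_INET6 AF_NETLINK` plus the `@system-service` syscall set, together with `RestrictSUIDSGID`, `ProtectKernelLogs`, `ProtectClock` and `ProtectHostname`, is the conventional completion of the list already present; whether the exporter needs any further family (e.g. AF_UNIX) has to be confirmed against the binary before pinning it. `After=systemd-modules-load.service` does not order the unit after the ruleset is loaded, so if the first scrape should not race it, an `After=nftables.service` (assuming that unit is what loads the ruleset on the targets) would express the dependency.
```ini
[Service]
# … unchanged: Restart, User, ExecStart, ExecReload and the existing hardening options …
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
SystemCallFilter=@system-service
RestrictSUIDSGID=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
```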
diff --git a/roles/monitoring/prometheus/server/defaults/main/rules_nftables.yml b/roles/monitoring/prometheus/server/defaults/main/rules_nftables.yml
new file mode 100644
index 00000000..8ce0b1c9
--- /dev/null
+++ b/roles/monitoring/prometheus/server/defaults/main/rules_nftables.yml
@@ -0,0 +1,11 @@
+---
+prometheus_server_rules_nftables_extra: []
+prometheus_server_rules_nftables:
+ - alert: NftablesFailedToReadRuleset
+ expr: nftables_up == 0
+ for: 2m
+ labels:
+ severity: warning
+ annotations:
+ summary: Unable to read nftables ruleset (instance {{ '{{' }} $labels.instance {{ '}}' }})
+ description: "The nftables collector failed to read the ruleset from the kernel.\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS = {{ '{{' }} $labels {{ '}}' }}"
-- cgit v1.2.3
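Review bot: `nftables_up == 0` only fires while the exporter is reachable and reports a failed ruleset read; if the exporter process is down or nginx cannot proxy to it, the series simply disappears and this alert stays silent, so it depends on a generic `up == 0` rule existing elsewhere (presumably it does, but it is not part of this change). A one-line comment above the rule, e.g. `# exporter reachability itself is covered by the generic up == 0 rule`, would record that dependency. The `description` is a double-quoted scalar with `\n` escapes interleaved with the `{{ '{{' }}` Jinja escaping, which is hard to read; a `|-` block scalar carries the same text with plain newlines, and note that the current value gives the ` VALUE = ` and ` LABELS = ` lines a leading space (fine if that matches the other rule files, which are not visible here).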